21 November 2022

Hackers using Google Ads to distribute Royal ransomware


A new threat actor, tracked by security researchers at Microsoft as DEV-0569, is using Google ads to distribute various post-compromise payloads, including Royal ransomware, which first emerged in September 2022.

“Observed DEV-0569 attacks show a pattern of continuous innovation, with regular incorporation of new discovery techniques, defense evasion, and various post-compromise payloads, alongside increasing ransomware facilitation,” a new report from Microsoft’s Security Threat Intelligence team said.

Typically, the group relies on malvertising and on phishing links, embedded in spam emails, fake forum pages and blog comments, that point to a malware downloader posing as a software installer or update. Over the past few months, the researchers observed changes in DEV-0569's delivery methods, including the use of contact forms on targeted organizations' websites to deliver phishing links and an expansion of its malvertising by abusing Google Ads.

The links delivered to potential victims through malicious ads, phishing emails and other means lead to malicious files signed by the attacker using a legitimate certificate.

“The malicious files, which are malware downloaders known as BATLOADER, pose as installers or updates for legitimate applications like Microsoft Teams or Zoom. When launched, BATLOADER uses MSI Custom Actions to launch malicious PowerShell activity or run batch scripts to aid in disabling security solutions and lead to the delivery of various encrypted malware payloads that are decrypted and launched with PowerShell commands,” Microsoft explained.
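As an added illustration, not code from the article or from Microsoft's report, the script below turns the behaviour described in the quote into detection logic: it scans process-creation records for an MSI installer (msiexec.exe) spawning PowerShell or cmd.exe, which is what an MSI custom action launching a script looks like at the process level, and raises the score when the command line carries downloader-style arguments (encoded command, execution-policy bypass, hidden window, in-memory download). The log format, field names, sample events and the Base64 argument are all constructed for this example.

```python
"""
Added detection example (not from the article or from Microsoft's report).
Flags process-creation events in which msiexec.exe spawns a script host,
the pattern produced by an MSI custom action that runs PowerShell or a
batch file. Field names follow Sysmon Event ID 1 / Windows 4688 style
but the 'key=value|key=value' line format is an assumption for this example.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Script hosts an installer should not normally need to launch.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line fragments typical of a downloader stager: encoded commands,
# execution-policy bypass, hidden window, in-memory download-and-run.
SUSPICIOUS_ARGS = re.compile(
    r"(-enc(odedcommand)?\b|-e\s+[A-Za-z0-9+/=]{20,}|executionpolicy\s+bypass|"
    r"-w(indowstyle)?\s+hidden|downloadstring|\biex\b|invoke-expression)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the file name of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_msi_custom_action_child(ev: ProcessEvent) -> bool:
    """True when the MSI installer process spawned a script host."""
    return basename(ev.parent_image) == "msiexec.exe" and basename(ev.image) in SCRIPT_HOSTS


def score_event(ev: ProcessEvent) -> int:
    """0 = benign, 1 = msiexec spawned a script host, 2 = plus suspicious arguments."""
    if not is_msi_custom_action_child(ev):
        return 0
    return 2 if SUSPICIOUS_ARGS.search(ev.command_line) else 1


def parse_log_line(line: str) -> ProcessEvent:
    """Parse one 'key=value|key=value' record (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


# Constructed sample events: a normal install launched from Explorer, a benign
# custom action registering a DLL, a batch script, and a PowerShell stager.
SAMPLE_LOG = """\
ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\msiexec.exe|CommandLine=msiexec.exe /i Teams_Installer.msi /qn
ParentImage=C:\\Windows\\System32\\msiexec.exe|Image=C:\\Windows\\System32\\regsvr32.exe|CommandLine=regsvr32.exe /s component.dll
ParentImage=C:\\Windows\\System32\\msiexec.exe|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c install.bat
ParentImage=C:\\Windows\\System32\\msiexec.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -w hidden -ExecutionPolicy Bypass -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA
"""


def scan_log(text: str) -> list[tuple[int, str]]:
    """Return (score, command line) for every event scoring above 0, in log order."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_log_line(line)
        s = score_event(ev)
        if s:
            hits.append((s, ev.command_line))
    return hits


if __name__ == "__main__":
    for score, cmd in scan_log(SAMPLE_LOG):
        print(f"[score {score}] {cmd}")
```

The parent/child check alone will also catch legitimate installers whose custom actions run a batch file, so in production the score-1 tier is best used as a hunting signal, and the score-2 tier, where the child command line also carries stager arguments, as the alert. Because the article notes the installers are signed with a legitimate certificate, a valid Authenticode signature on the MSI is not by itself a reason to suppress the match.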

In a campaign carried out between August and October 2022, BATLOADER was delivered via fake installers for popular software such as TeamViewer, Adobe Flash Player, Zoom, and AnyDesk. The malware was hosted on attacker-created domains and on legitimate repositories such as GitHub and OneDrive.

In another campaign, observed in September and October 2022, the threat actor was seen disabling security solutions with the open-source NSudo tool and using contact forms on public websites to distribute malware, including the IcedID (BokBot) dropper.

